(Jul 31, 2015)
Ah, end of July in the midst of a wonderful heat wave (thank god for air conditioning). Are you thinking about back to school already? A privacy pro from a federal crown corporation who was thinking about her own back-to-school—aka privacy education—needs reached out to me this week for advice on which certification to obtain: the CIPP/C or the CIPM. It’s a question I get frequently enough, so I thought I’d outline my response here in the Digest in case others were wondering the same thing.
The...

(Jul 31, 2015)
Communications Security Establishment (CSE) introduced mandatory privacy-awareness training following an internal breach back in March, The Canadian Press reports. CSE’s Greta Bossenmaier told employees at the time, “I seriously regret that we are in this situation and never want it to be repeated … As such, we must use it as a learning opportunity so that we can prevent any further incidents from occurring.” Bossenmaier told staff “to review the new privacy protocol, take the mandatory training, exercise care when assigning access permissions to documents, remain alert to any ‘serious anomalies’ in information management and immediately report any problems,” the report states.

(Jul 31, 2015)
In a feature for The Globe and Mail, Dentons’ Chantal Bernier, former interim privacy commissioner of Canada, writes about the “unusually high number of significant privacy law developments” Canadian businesses must contend with, including rules on online behavioral advertising, the Digital Privacy Act and the stricter privacy obligations Canadian businesses operating in the EU will face “with the adoption by the Council of Ministers of a position on the Draft European Regulation on Data Protection.” Bernier sums up the implications of each of the developments, noting, “As the landscape changes to bring privacy law in line with technological and commercial trends, Canadian businesses must study the road map in order to take the right course.”

(Jul 31, 2015)
The Federal Court of Canada has certified a class-action suit in the Health Canada Marijuana Medical Access mailing case, allowing those affected to pursue compensation, CBC reports. While the Office of the Privacy Commissioner in March ruled in favor of victims who had argued “their privacy had been violated,” the ruling did not include compensation. The case involves a 2013 mailer to 40,000 enrolled members of the Marijuana Medical Access Program that used envelopes with its name emblazoned on them, which “opened us up for discrimination,” said Maritimers Unite for Medical Marijuana Society Chair Debbie Stultz-Giffin. “Certainly as patients we have a right to that level of privacy about our health conditions or what we chose to use as our medicine.”

(Jul 30, 2015)
With the rollout Wednesday of Microsoft’s new operating system, Windows 10, many praised its new features while others expressed concerns about user privacy, Information Age reports. For those using Windows 7 or 8, the upgrade is free, but some are pointing out that comes with a privacy trade-off, as has been demonstrated in Microsoft’s new privacy policy and services agreement, the report states. Microsoft Deputy General Counsel Horacio Gutiérrez said the company’s new dashboard creates a “straightforward resource for understanding Microsoft’s commitments to protecting individual privacy with these services.”

(Jul 29, 2015)
With regulators around the world calling for organizations to be accountable with their privacy practices, often privacy officers struggle to manage such requirements with limited resources. The challenges faced by privacy officers can include “communicating a definitive privacy-management program, leveraging and motivating individuals throughout the organization and justifying the business case to obtain the necessary resources,” writes Nymity President and Founder Terry McQuay, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM. In this post for Privacy Perspectives, McQuay discusses how privacy officers can implement successful privacy-management activities by using a resource-based approach.

(Jul 29, 2015)
Monitoring a user’s keystrokes, “a sort of digital fingerprint that can betray its owner’s identity,” has been identified by security researchers as a threat for Tor users, Ars Technica reports. “The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page,” said security researcher Runa Sandvik. “Suddenly, the IP address I am using to connect to these two sites matters much less.” Researchers Per Thorsheim and Paul Moore developed a Chrome plugin to ward off these attacks. “For oppressive regimes, this is most certainly of high interest,” Thorsheim said.

(Jul 28, 2015)
A study by Tractica indicates that as widespread interest in drone use grows so will the need for more sophisticated data analysis and protection, IT Canada reports. “There are many other IT considerations,” Tractica’s Bob Lockhart said in the report. “Just like other mobile devices, drones are targets for theft of data and intellectual property, and drone inputs could affect certifications such as ISO9001 or ISO27001 for information security.” Data storage policies should also be in place. “Drones could produce huge amounts of data for organizations that are not used to large data volumes, so organizations should have a data science program ready in advance, he said, and know where the data be stored and processed,” the report states.

(Jul 27, 2015)
This week’s Privacy Tracker roundup highlights a controversial new antiterrorism law in Kuwait that would see mandatory DNA collection from all citizens, residents and visitors to the country. Also, Russia has passed a right-to-be-forgotten law, and Ireland is expected to pass a new law giving adopted individuals access to their birth certificates. In the U.S., another student privacy bill has been introduced while senators who have already proposed student privacy bills hope to work together to push a single bill forward. Also, there’s a new bill aiming to reform FISMA, and the courts have been busy deciding on Neiman Marcus, butt-dialing, a Florida healthcare privacy law and Facebook denying search warrants. (IAPP member login required.)

(Jul 27, 2015)
RSA Chief Technology Officer Zulfikar Ramzan believes breach prevention requires a proactive attitude and wise budgeting in favor of security, BankInfo Security reports. “Security practitioners need to eliminate the perimeter and adopt a prevention mindset to establish the security maturity of the organization in dealing with cyber threats,” Ramzan said. “Learning to distinguish between an intrusion and breach and working out ways to respond to breaches are critical.” The current status quo of allocating money toward prevention ought to be similarly revised, he suggests, recommending “organizations allocate one-third of their budgets to each of those disciplines to build a better breach response framework,” the report states.

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.